Sunday, October 6, 2013

I'm really trying to understand the difference between OpenID and OAuth? Maybe they're two totally separate things?

7 Answers

Accepted answer (222 upvotes)
OpenID is about authentication (i.e. proving who you are); OAuth is about authorisation (i.e. granting access to functionality, data, etc. without having to deal with the original authentication).
OAuth could be used in external partner sites to allow access to protected data without them having to re-authenticate a user.
The blog post "OpenID versus OAuth from the user’s perspective" has a simple comparison of the two from the user's perspective and "OAuth-OpenID: You’re Barking Up the Wrong Tree if you Think They’re the Same Thing" has more information about it.


OpenID versus OAuth from the user’s perspective

Tagged with: oauth, openid
In this article I want to show the differences between OpenID and its younger cousin OAuth by providing for each a typical user scenario.
First the scenario for OpenID:
  • User wants to access his account on example.com
  • example.com (the “Relying Party” in OpenID lingo) asks the user for his OpenID
  • User enters his OpenID
  • example.com redirects the user to his OpenID provider
  • User authenticates himself to the OpenID provider
  • OpenID provider redirects the user back to example.com
  • example.com allows the user to access his account
And now the scenario for OAuth:
  • User is on example.com and wants to import his contacts from mycontacts.com
  • example.com (the “Consumer” in OAuth lingo) redirects the user to mycontacts.com (the “Service Provider”)
  • User authenticates himself to mycontacts.com (which can happen by using OpenID)
  • mycontacts.com asks the user whether he wants to authorize example.com to access his contacts
  • User makes his choice
  • mycontacts.com redirects the user back to example.com
  • example.com retrieves the contacts from mycontacts.com
  • example.com informs the user that the import was successful
From those scenarios we can see that OpenID is about authentication (i.e. I can identify myself with a URL) whereas OAuth is about authorization (i.e. I can grant another website permission to access my data on some website, without giving that website the authentication information for the original website).
I hope this helps to keep apart those two standards :)
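The two scenarios above as a runnable model, added here and not part of the original post or of either site: a constructed mycontacts.com that authenticates the user, asks for consent and issues a token bound to example.com and the "contacts" scope, beside an OpenID-style signed assertion that proves who the user is but grants no data access. All names, credentials and keys are constructed; the HMAC shared secret is a simplified stand-in for the OpenID association key that the provider and Relying Party share.

```python
import hmac, hashlib, secrets

SECRET = b"constructed-demo-key"  # constructed; stands in for the OpenID association key

class MyContacts:
    """Constructed stand-in for mycontacts.com (the Service Provider)."""
    def __init__(self):
        self.users = {"alice": "hunter2"}                    # constructed credentials
        self.contacts = {"alice": ["bob@example.org", "carol@example.org"]}
        self.sessions, self.tokens = {}, {}

    def login(self, user, password):
        """User authenticates to mycontacts.com; example.com never sees this password."""
        if self.users.get(user) != password:
            raise PermissionError("bad credentials")
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return sid

    def authorize(self, sid, consumer, scope, approve):
        """mycontacts.com asks the user; on consent it issues a token bound to consumer and scope."""
        if not approve:
            raise PermissionError("user declined")
        tok = secrets.token_hex(8)
        self.tokens[tok] = (self.sessions[sid], consumer, scope)
        return tok

    def get_contacts(self, tok, consumer):
        """Data access checks the token, not a password, and only for its consumer and scope."""
        user, owner, scope = self.tokens.get(tok, (None, None, None))
        if owner != consumer or scope != "contacts":
            raise PermissionError("token not valid for this consumer or scope")
        return self.contacts[user]

def oauth_import(provider, user, password, approve=True):
    """The OAuth scenario: example.com (Consumer) ends up holding a scoped token, never the password."""
    sid = provider.login(user, password)      # done by the user in their browser at mycontacts.com
    tok = provider.authorize(sid, "example.com", "contacts", approve)
    return provider.get_contacts(tok, "example.com")

def openid_assertion(identifier):
    """The OpenID scenario: the provider signs 'this user owns identifier'; no data access is granted."""
    return identifier, hmac.new(SECRET, identifier.encode(), hashlib.sha256).hexdigest()

def relying_party_verify(identifier, signature):
    """example.com as Relying Party checks the signature with the shared association secret."""
    expected = hmac.new(SECRET, identifier.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)
```

A token issued to example.com is rejected when presented by any other consumer, and a valid OpenID assertion for one identifier does not verify for another.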
